System and method for password authentication for non-LDAP regions

ABSTRACT

A system and method for allowing roaming of a subscriber and password authentication in a non-LDAP region. A user signs onto a network access server which in turn connects to the regional LDAP RADIUS server. Password authentication occurs by hashing a transmitted password and comparing it to a clear text password from an LDAP database that has been hashed in the same manner as the transmitted password. When the subscriber is in a non-LDAP region, the password proceeds through a proxy server to a regional RADIUS server which connects to a non-LDAP server. The non-LDAP server connects to an SMS database, retrieves the clear text password associated with the non-LDAP user, hashes it according to the same method as the transmitted hashed password and formats the password for comparison in the regional RADIUS server. If the hashed passwords match, access is permitted.

FIELD OF THE INVENTION

[0001] This invention relates generally to connection to the Internet for computers that are not within their original ISP region. More particularly, the present invention is a system and method for a dial-up roaming architecture that allows Internet connections for individuals who are not within their original ISP region.

BACKGROUND OF THE INVENTION

[0002] Internet connection is typically accomplished by an Internet Service Provider (ISP) signing up an individual who can then sign on to the Internet via connectivity that is provided by the ISP. This typically takes the form of a dial-up modem or other type of Internet connection via the ISP. In the case of a cable internet infrastructure, the connection is via a cable modem. In the case of a digital subscriber line (DSL) internet infrastructure, the connection is via a DSL modem. Thereafter, the user can access the Internet based upon the speed of the connection to the ISP.

[0003] A problem occurs when an individual user is no longer present within the region that is covered by the cable or DSL ISP. This occurs when individuals are traveling or “roaming” to an area other than the area where service is provided by the user's ISP.

[0004] When using a cellular telephone, this procedure is very commonly encountered by travelers who go from one geographic region to another. Basically, travelers are then assigned to a roaming status and their presence within a particular calling area is noted, with information subsequently provided to the home network, allowing the home network to contact the user who is “roaming.”

[0005] To solve this problem, currently many users keep a dial-up ISP such as the Microsoft Network to allow them to have access to the Internet when they are away from home. This avoids some of the issues associated with different formats that support dial-up roaming but does not allow, for example, access to the features of a cable internet connection.

[0006] Currently, one such protocol that can be used as a directory service to allow people to locate other people on the Internet is called the Lightweight Directory Access Protocol or LDAP. LDAP is a directory service specification that is generally accepted in the Internet. Such a directory service allows people to locate other people or services. Such a directory service is basically a database that can be searched and manipulated in a number of ways to display information about a network and its resources. One such use is to create and manage user accounts including access by registered users to LDAP enabled networks.

[0007] Although LDAP service is widely accepted over the Internet, there are many Internet Service Providers who are not LDAP compatible or enabled. These non-LDAP networks may be affiliated with other networks which are LDAP enabled. In such cases it is difficult to verify that a user is authorized to use a non-LDAP network when the user is trying to access the network via dial-up connection. While LDAP does provide a good solution to support and authenticate users who are roaming, for those ISPs who are not LDAP enabled, to upgrade to a standard LDAP architecture requires expensive architectural changes that many ISPs are not inclined to make.

[0008] Many such non-LDAP ISPs use different subscriber management systems (generally referred to herein as SMS) with differently formatted databases. If a user is roaming and is attempting to connect as a subscriber from a non-LDAP region, any subscriber management system in the non-LDAP region would need to be kept in synchronization with an authentication database that exists in a centralized LDAP database. To date, there is no efficient access to data for authentication purposes from a non-LDAP region to an LDAP region.

[0009] What is therefore required is a system and method for allowing users to roam outside of their home regions and to log on to their respective ISPs via dial-up networking whether the home region is LDAP enabled or not.

SUMMARY OF THE INVENTION

[0010] It is therefore an objective of the present invention to allow users to roam freely, yet connect to ISPs at different locations and access their home LDAP enabled authentication region.

[0011] It is a further objective of the present invention to allow users to connect to non-LDAP based authentication regions and to allow subsequent authentication to take place in an LDAP region.

[0012] It is a further objective of the present invention to enable a cable modem or DSL subscriber whose account is assigned to a non-LDAP authenticated site to be able to roam across the country and have access to such services when they are away from their cable modem, i.e., connecting to an ISP where they are located.

[0013] It is a further objective of the present invention to allow access to a cable modem or DSL infrastructure using a telephone modem dial-up connection.

[0014] It is yet another objective of the present invention to create a regional remote authentication dial-in user service (RADIUS) so that secure authentication can take place.

[0015] It is yet another objective of the present invention to create an authentication mechanism so that secure authentication can take place regardless of the format of information in the subscriber management database.

[0016] These and other objectives of the present invention will become apparent to those skilled in the art from a review of the specification that follows.

[0017] The present invention allows a user to be away from the user's cable modem connection and use a local dial-roaming telephone number, an analog modem, and client dial-up software to dial into a local Dial Access Provider (DAP). The DAP forwards an access request over a Network Access Server (NAS) over a local Internet network.

[0018] That request for access proceeds to a corporate RADIUS server which authenticates the request of the user against an LDAP database. If the user is authenticated against the directory of the LDAP database, access to the cable modem services is allowed.

[0019] Operating in this mode, the NAS operates as a client of the corporate RADIUS server. The NAS is responsible for passing user information to the corporate RADIUS server and then acting on the response that is returned.

[0020] The corporate RADIUS server receives user connection requests, authenticates the user, and provides configuration information to the NAS to deliver service to the user who is dialing in.

[0021] Transactions between the corporate RADIUS server and the NAS are authenticated through unique identification and exchange of secret information relating to identity. This information is not sent in the clear over the network.

[0022] The NAS creates an access request containing such attributes as the user name and password. The access request is sent to the corporate RADIUS server for authentication. The RADIUS server then determines to which region the user belongs by comparing the user's region, which is, in part, a function of a naming convention such as (user name@region.rr.com). This is compared against the region's site type in the configuration file, that is, LDAP or non-LDAP. If the region is an LDAP region, the authentication request is forwarded to the regional LDAP database. The LDAP database then checks its database directory and, if the user is present in the database and the password is correct, returns an “accept” message, or a “deny” message if the user is not in the database.

[0023] If the region in which the user is located is not an LDAP based region, the corporate RADIUS server will proxy to an appropriate regional RADIUS server. The regional RADIUS, having received the authentication request in the form of a user name and CHAP hashed password, retrieves the user's clear text password from the subscriber management system (SMS) or account management system (AMS) associated with the non-LDAP region. The system then hashes the clear text password from the SMS/AMS database using the Challenge Handshake Authentication Protocol (CHAP) and compares it to the incoming password which is, in the preferred embodiment, also CHAP hashed, and returns an “accept” message if the user is present in the SMS/AMS database or a “deny” message if the user is not present in the database. When the passwords are CHAP hashed as noted above, the presence of the password and comparison to the transmitted password is accomplished by comparing the two hashes. If they exactly match, then the user is present in the database and an “accept” message is transmitted. If the hashes do NOT match, then a “deny” message is sent. It should be noted that the CHAP hashing is not meant as a limitation. Passwords may be sent “in the clear,” although this is not recommended for security reasons, or other hashing algorithms can be used to hash the passwords that are sent and compared.
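As an added illustration (not part of the patent), the non-LDAP branch described in [0022] and [0023] in Python: the corporate side applies the user@region naming convention against a site-type configuration, and the regional RADIUS rehashes the SMS clear-text password with CHAP (RFC 1994: MD5 over identifier, secret and challenge) and compares it to the CHAP-Password the NAS forwarded. The region names, the site-type map and the SMS table are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins (not from the patent): the corporate RADIUS
# configuration file mapping each region to its site type, and the
# non-LDAP region's SMS table holding clear-text passwords.
SITE_TYPE = {"regiona.rr.com": "ldap", "regionb.rr.com": "non-ldap"}
SMS_DB = {"regionb.rr.com": {"alice": "constructed-sample-password"}}


def split_region(user_name):
    """Apply the user@region.rr.com naming convention to find the home region."""
    user, sep, region = user_name.rpartition("@")
    if not sep or not user or not region:
        raise ValueError("user name must follow the user@region convention")
    return user, region.lower()


def chap_hash(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def nas_chap_password(ident, password, challenge):
    """What the NAS forwards in the RADIUS CHAP-Password attribute:
    one identifier octet followed by the 16-octet CHAP response."""
    return bytes([ident]) + chap_hash(ident, password, challenge)


def regional_radius_authenticate(user_name, chap_password, challenge):
    """Non-LDAP region: rehash the stored clear-text password the same way
    and return 'accept' only when the two hashes match exactly."""
    user, region = split_region(user_name)
    if SITE_TYPE.get(region) != "non-ldap":
        return "deny"  # LDAP regions are authenticated against LDAP instead
    if len(chap_password) != 17:
        return "deny"  # malformed attribute: 1 ident octet + 16 MD5 octets
    ident, response = chap_password[0], chap_password[1:]
    stored = SMS_DB.get(region, {}).get(user)
    if stored is None:
        return "deny"  # user not present in the SMS database
    expected = chap_hash(ident, stored, challenge)
    # constant-time compare avoids leaking how many bytes matched
    return "accept" if hmac.compare_digest(expected, response) else "deny"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed 16-octet CHAP challenge
    good = nas_chap_password(7, "constructed-sample-password", challenge)
    print(regional_radius_authenticate("alice@regionb.rr.com", good, challenge))
```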

[0024] It is also within the scope of the present invention to perform the hashing of passwords noted above regardless of the type of region (LDAP/non-LDAP) in which the user and the user's access service are located.

[0025] Regardless of the site type, user names and passwords are hashed so as not to be sent in clear text, thereby affording an additional element of security.

[0026] When a user completes a dial-in session, the user is disconnected. The NAS server then notifies the corporate RADIUS that the dial-in session has terminated.

[0027] The system has the advantage of not requiring major upgrades to non-LDAP regions. For example, for an SMS site, no new hardware would be required since a regional RADIUS will be installed on the existing SMS servers. For AMS sites, an upgrade can be accomplished in a cost effective fashion by using, for example and without limitation, a Compaq Proliant 3000 with 256 megabytes of RAM and mirrored 5 GB disk drives. Such a system would operate using Windows NT 4.0 and other software generally known in the art.

BRIEF DESCRIPTION OF THE FIGURES

[0028] FIG. 1 is an overall architectural view of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0029] As noted above, the present invention is a system and method for allowing both LDAP and non-LDAP users to freely roam in different regions of the country and connect to all of the cable or DSL network functionality via dial-up connection.

[0030] Users 10 and 12 who are roaming outside of the service region of the cable network provider connect via a dial-up modem connection, or other type of wired or wireless connection, to a network access server 14. Naming conventions for users who are roaming allow user 10, for example, who is serviced via an LDAP region, to access email and other cable network features by virtue of the email address. Regions with LDAP service and regions without LDAP service are differentiated by virtue of their addresses. The network access server 14 connects to the local Internet Service Provider 16, which in turn connects via a dedicated communication line 18, which may, for example, be a T1 line. However, this is not meant as a limitation. Any dedicated high bandwidth line or access, both wired and wireless, would be suitable for the present invention. The local ISP then connects to the corporate RADIUS server 20 for those users who are in a region that is LDAP enabled. The corporate RADIUS server 20 communicates with the LDAP regional server 24 to determine if the user is in the LDAP database 26. If the user is in the LDAP database 26, the regional LDAP server 24 authenticates the user to the corporate RADIUS server 20, which then sends the appropriate accept or deny signal through the communication link 18 over the local ISP 16 through the network access server 14, to the roaming customer 10.

[0031] If the customer is in a non-LDAP region, customer 12 dials in via the network access server 14, over the local ISP 16 and again over dedicated network 18 to the RADIUS server 22. The RADIUS server then proxies the request for access to a regional RADIUS server 28 which connects to the non-LDAP region server 30 which in turn has a subscriber management system (SMS) or account management system (AMS) database 32. Through a view into the non-LDAP region server 30, the system determines if the roaming customer 12 is permitted access. If such access is permitted, a message is sent by the non-LDAP region server 30 to the regional RADIUS 28 to the RADIUS server 22. Thereafter the accept or deny signal is sent via the dedicated network 18 via the local ISP 16 over the network access server 14 to the roaming customer 12.

[0032] In this fashion, roaming customers who are in a region which is non-LDAP enabled can still access cable or DSL service via a regional RADIUS server, which is a relatively inexpensive upgrade to existing systems. Thus, non-LDAP enabled regions do not have to engage in expensive upgrades in order to allow roaming customers to have access to their systems.

[0033] A system and method to allow roaming customers to have access to LDAP or non-LDAP enabled regions has now been illustrated. It will be appreciated by those skilled in the art that other variations of the present invention are possible without departing from the scope of the invention as disclosed.

1. A method for dial roaming for users having a home non-LDAP (Lightweight Directory Access Protocol) region to allow access comprising: dialing into a local dial access provider; creating an access request; forwarding the dial access request to a corporate remote authentication dial-in user service (RADIUS) server; proxying the request to a regional RADIUS server associated with the user's home region; accessing the regional user database to determine if the user is present in the regional database; authenticating the user; and providing configuration information to the user to allow access to the network.

2. The method for dial roaming of claim 1 wherein the access request is forwarded to an access provider via a network access server (NAS).

3. The method of claim 2 wherein the NAS functions as a client of the corporate RADIUS server.

4. The method of claim 1 further comprising: the corporate RADIUS server determining if the user is a member of an LDAP or non-LDAP region.

5. The method of claim 4 wherein the determining if the user is a member of an LDAP or non-LDAP region is accomplished by reviewing a configuration file stored in the corporate RADIUS server.

6. The method of claim 1 further comprising forwarding the access request to a regional LDAP database if the home region is LDAP enabled.

7. The method of claim 6 further comprising the regional LDAP database authenticating the user.

8. The method of claim 7 further comprising the regional LDAP database sending an “accept” message if the user is in the regional LDAP database and a “deny” message if the user is not in the regional LDAP database.

9. The method of claim 1 wherein the access request comprises a user name and password.

10. The method of claim 9 wherein the user name comprises a regional naming convention for identifying the home region of the user.

11. The method of claim 9 wherein the user name comprises an email address of the user.

12. The method of claim 9 further comprising comparing the user password to the password stored in the non-LDAP database.

13. The method of claim 12 wherein the password from the database is CHAP hashed, and wherein the password delivered to the database is CHAP hashed, and wherein the password comparison comprises comparing the CHAP hashed password delivered to the database with the CHAP hashed password extracted from the database.

14. The method of claim 12 wherein the database of the non-LDAP regions is a subscriber management system (SMS) database.

15. The method of claim 9 wherein the password is hashed to maintain security.

16. A system for dial roaming for users having a home non-LDAP region to allow access comprising: a user computer having a home service region for creating a network access request; a dial up connection over a first network to a network access server (NAS) in a roaming area; a second network connected to the NAS for receiving the network access request; a local network service provider connected to the second network; a third network connected to the network service provider; a corporate RADIUS server connected to the third network for receiving the access request; and a regional LDAP server comprising a user database for authenticating the user access request and for allowing access to the regional network.

17. The system of claim 16 further comprising a regional RADIUS server connected to a non-LDAP regional server connected to the second network for receiving the access request.

18. The system of claim 17 wherein the non-LDAP regional server further comprises a user database and access instructions for authenticating the user access request in the non-LDAP server database.

19. The system of claim 18 wherein the database is an SMS database.

20. The system of claim 16 wherein the user access request comprises a user ID and password.

21. The system of claim 20 wherein the NAS further comprises instructions for hashing the user ID and password to enhance security.

22. The system of claim 18 wherein the non-LDAP server further comprises instructions to permit access if the user is in the database and to deny access if the user is not in the database.

23. A system for authenticating users using a standard RADIUS protocol against a non-standard subscriber management system and database comprising: a RADIUS server, having a RADIUS authentication protocol, connected to a first network for receiving an access request from a user; a subscriber management server, connected to a second network, comprising a user database for authenticating the user access request over the second network; and a database view created in memory on the subscriber management server for providing user access information in the correct format for the RADIUS authentication protocol.

24. The system for authenticating users using a standard RADIUS protocol against a non-standard subscriber management system and database of claim 23 wherein the user access request is a username and password.

25. The system for authenticating users using a standard RADIUS protocol against a non-standard subscriber management system and database of claim 24 wherein the username is an email address.

26. The system for authenticating users using a standard RADIUS protocol against a non-standard subscriber management system and database of claim 24 wherein the password from the user database is CHAP hashed to compare to the password presented in the user access request.

27. The system for authenticating users using a standard RADIUS protocol against a non-standard subscriber management system and database of claim 26 wherein the subscriber management server further comprises instructions for sending an “accept” message to the RADIUS server if the user password from the user database matches the user password presented in the user access request, and for sending a “deny” message to the RADIUS server if the user password from the user database does not match the user password presented in the user access request.